Friday August 10 2018 1530 30 Mins
My Stripper Name is Bubbles Sunset: What SEO Meme Marketing Means for Social Engineering
You’re mindlessly scrolling through Facebook when you see your friend share a post and comment, “Mine is Bubbles Sunset!”
You click. It’s a meme that reads: “What’s your stripper name? It’s the name of your first pet and the first street you lived on! Comment with your answers, and share with your friends!”
Are alarm bells going off in your head yet?
Security-savvy internet browsers know to be on the lookout for the digital version of a mustached man in a trench coat, like emails selling discounted Viagra. But as you’ve gotten smarter about avoiding these obvious bids for information, attackers and online marketers have gotten subtler to persuade you to divulge personal information. Every second, users willingly divulge sensitive information in comments on social media memes like the stripper name post because they don’t see them as a threat.
In this talk, Hannah Silvers — social engineer and SEO marketing content strategist — brings the two worlds together. Using (hilarious) real-life examples, she will illustrate how social media memes are hotbeds of valuable PII for marketers and attackers alike, how these memes encourage users to engage with and share them, and the ways attackers can make use of them as an attack vector.
Of course, the talk won’t stop at the doom and gloom. The presenter will discuss implications to the work of security educators and what users can do to mitigate the risk these memes present once they understand how they work.
Hannah Silvers: @hannah_silvers
Hannah Silvers is a writer, editor, and content strategist based in Atlanta, GA. During the day, she writes and presents SEO content marketing strategy for nonprofit service providers. But after the ride home, she moonlights as the director of outreach for CG Silvers Consulting and a lexicographic content contributor for Dictionary.com, charting the course of the English language through definitions of slang, politics, pop culture, and emoji. Hannah is also a veteran of Social-Engineer, LLC, holding corporate technical writing and vishing experience as well as the current record of youngest contestant to enter the SECTF booth at DEF CON.
Friday August 10 1600 50 Mins
From Introvert to SE: The Journey
In 20 years I learned how to step outside my introverted personality to explore the world in a more successful way, but not without bumps and bruises which taught me valuable lessons.
This is my story of that journey, which I hope will convey to those listening that being a deep introvert should not prevent them from trying and achieving goals in life, up to and including being a professional social engineer and beyond. I wrap up with the specific lessons I learned over the course of that time, so others can reap the benefits of those lessons in a much shorter time frame.
Ryan MacDougall: @joemontmania
Ryan MacDougall is a Senior Social Engineer Pentester for Social-Engineer LLC, who has over 20 years’ experience in the information technology world and 5 years in the security space specifically. Naturally a deep introvert, he has achieved goals and experienced life that early on did not seem possible or even imaginable. With the help of professionals and experts in the field of psychology, he amassed techniques to navigate the social world to achieve goals he wanted and some he never knew he wanted.
Friday August 10 2018 1655 50 mins
Mr. Sinatra Will Hack You Now
Across the globe for millennia upon millennia, a cabal of social engineers have been working to manipulate realities, collective and singular. They influence decision making processes in a matter of minutes and leave no evidence of their presence. They’ve made camp in your computers, your cars, your places of worship, and your schools. They may be doing it right now as you read this. They are everywhere. They are musicians.
Neil Fallon: @npfallon
Neil Fallon is the lyricist, singer, and rhythm guitar player of the rock band Clutch. Since forming in 1991, Clutch has released 11 full length records and has performed numerous times in North America, Europe, South America, Australia, and Japan.
In 2009, Neil, along with his bandmates and manager, created Weathermaker Music, a completely independent record label. To date, Weathermaker Music has had 58 world wide releases. The most recent release, “Psychic Warfare,” reached #11 on the Billboard Top 100 and #1 on Hard Rock & Rock Billboard chart.
Friday August 10 2018 1750 50 mins
In-N-Out – That’s What It’s All About
Without the right tools the engagement can be over before it begins, as upfront resistance can prevent you from entering with your tools. Billy Boatright demonstrates and discusses how to use social engineering tactics to get in without any difficulty. While most think outside of the box, Billy shows us how to think inside the box and embrace your own handicaps to arm yourself with advanced tactics and unfair advantages. Billy shows us how handicaps and familiar objects can be used to covertly carry your toolbox into an engagement, increasing your success. Rather than dealing with a perceived disadvantage, use it to exploit the world around you.
Billy Boatright: @fuzzy_l0gic
Billy began his social engineering career without even knowing it. He was a bartender on the Las Vegas Strip for the better part of a decade. He won numerous awards from all over the world as a Top-ranked Flair Bartender. He has taken the skills he learned behind the bar to the Information Security world. Billy has been a Judge for the Social Engineering Capture the Flag event at Def Con. He is also the namesake for the BSides Las Vegas Social Engineering Capture the Flag Championship Belt. Billy also volunteers time and expertise to the Las Vegas ISSA Chapter as a Board Member. He is also a member of the BSides Las Vegas Senior Staff.
Billy has multiple degrees and numerous certifications. However, when asked about them he will gladly quote George Moriarty, “The shining trophies on our shelves can never win tomorrow’s game.”
The Art of Business Warfare
Red Teams are designed to penetrate security in a real-world test of the effectiveness of security controls, policy, technology and infrastructure. Red Teams view security from an adversary perspective in order to simulate realistic attack scenarios that enable an organisation as a whole to prepare for and protect against both simple and sophisticated threats. Red Teams build security culture and provide opportunities for staff to be trained using real-world examples. During this presentation we will walk through a Red Team Assessment that simulates a state-sponsored attack against Executives, then uses their access to test the entire security posture of the organisation from the digital, physical, social and supply-chain perspectives.
Wayne has conducted security assessments for a range of leading Australian and international organisations. Wayne has unique expertise in Red Team Assessments, Physical, Digital and Social Engineering, and has presented to a number of organisations and government departments on the current and future state of the cyber security landscape in Australia and overseas.
Friday August 10 2018 1935 30 mins
Swarm Intelligence and Augmented Reality Gaming
What do a flock of starlings, a colony of warrior ants, and a hundred-person flash mob all have in common with the red team? Swarm intelligence, the collective behavior of individuals acting autonomously, is a concept that we can apply to human systems to unlock their potential. Swarming methodologies teach a group of individuals what to do, where to go, and how to operate as a team.
Nancy Eckert (Pongolyn) explores swarm intelligence through augmented reality gaming, where she leads teams of agents in capture-the-flag style competitions across the world. She shows how to apply social engineering strategies to groups of individuals, with the goal of achieving a collective intelligence that is greater than the sum of its parts.
Nancy Eckert: @Pongolyn
Nancy Eckert (Pongolyn) is a systems analyst and web developer in Seattle, Washington. In the augmented reality game of Ingress, Pongo is a champion strategist and team organizer for “roughly a thousand cats” across the northwestern United States. She leads competitive team-based operations across the world, where she coordinates hundreds of agents under cover of secrecy to walk, bike, drive, climb, snowshoe, boat, fly, hack, and engineer their way to remote locations in order to score points for the game. She builds neural networks in her spare time.
Saturday August 11 2018 1530 30 Mins
Social Engineering from a CISO’s Perspective
Social Engineering is a powerful tool. With the weapons gathered through Open Source Intelligence (OSINT) and well-crafted vishing or phishing, a Social Engineer wields incredible power to do good.
Unfortunately, for some, the power of being a Social Engineer is one they wield to show they are smarter than those around them, causing stress and fear and doing damage to any potential relationship with them or the department they represent.
This discussion will be about how to create meaningful, targeted phish and vish in an enterprise while strengthening information security, from the real-world perspective of a CISO, as well as a few specifics to avoid. In conclusion, this presentation will cover the importance of trust and how social engineering can help build or destroy trust.
Kathleen Mullin: @kate944032
Kate Mullin is an influential information security practitioner with more than 30 years of experience in various accounting, audit, risk, governance, and information security roles. She has been a CISO at various organizations including publicly traded, private, not-for-profit, and governmental entities. Kate established the role of CISO at Tampa Airport and at Healthplan Services.
Kate provides interim CISO and vCISO services, specifically executive and board consultation on governance, risk, compliance, and cyber security that includes stakeholder engagement, training and development, IT infrastructure management, social engineering, incident response, business continuity, and disaster recovery strategies.
Throughout her career, Kate has volunteered and participated in maturing information security as a profession. Kate is a former member of the ISACA CGEIT Certification and Credentials Committee and a past chapter president and CISA, CISM, CRISC, and CGEIT coordinator for West Florida ISACA. Kate has been a part of the CISO Coalition governing board.
Chris Roberts: @Sidragon1
Chris Roberts is a multi-colored bearded hacker who loves whiskey and kilts, and really enjoys it when strangers tell him he is a fine Welshman.
Saturday August 11 2018 1655 50 mins
Hunting Predators: SE Style
It was just about 1 year ago that Chris announced the launch of The Innocent Lives Foundation. What has happened in the last year? What have we accomplished? What are our challenges? What is next in the future? This talk will help the community see what your support, money and love have done to save children and catch predators.
Chris Hadnagy: @humanhacker
Chris is a professional social engineer with over 16 years of experience. His passion is understanding the why, not just the what. Chris has had the opportunity to work with some of the world’s greatest minds in learning how to use skills that might not be too common in the infused industry. You can find out more by looking at www.social-engineer.com
Saturday August 11 2018 1750 50 mins
On the Hunt: Hacking the Hunt Group
Dynamic duo DEF CON SECTF black badge winner Chris Silvers and ACE Hackware founder Taylor Banks return to the stage to take audiences on a hunt — of the hunt group, that is.
In this talk, Chris and Taylor will walk through the evolution of the “you called me!” vishing attack from 1980s phone pranking and 3-way calling to 2010s perceived phone system glitch exploits. You’ll learn how to engineer a successful “simultaneous answer” vishing call through reconnaissance, rapport-building, and attack. Most importantly, you’ll walk away with actionable strategies to prepare yourself and your organization against such attacks.
Oh, and the best part? Chris and Taylor will play real recordings of phone system glitch vishing calls on stage. Listen (and laugh) to what worked and what didn’t, then learn a little something through an interactive analysis of each call with the presenters.
Chris Silvers: @cgsilvers
Taylor Banks: @taylorbanks
Taylor Banks, Founder of ACE Hackware, has spent 15 years in information security. Experienced in applied hacking and countermeasures, Taylor has performed pen-tests and provided training for organizations including the FBI, NSA, US Navy and Marine Corps.
Chris Silvers is founder and CEO of CG Silvers Consulting as well as a DEF CON black badge winner. Chris’ passion for education and 20 years of experience in information security have landed him on the presenter’s stage at conferences such as Derby Con and GrrCon.
Saturday August 11 2018 1840 50 mins
Social Engineering Course Projects for Undergraduate Students
The hard science disciplines (computer science, electrical and computer engineering) have already started investing heavily in cybersecurity education. Security experts, however, note that cybersecurity is a wider discipline than simply the [technical] fields, and professionals with backgrounds [in] the social sciences … will be needed in the cyber workforce of the future. The relevance of incorporating social sciences into the cybersecurity domain has been acknowledged by the National Academies of Sciences, Engineering, and Medicine and the Department of Homeland Security. Social science disciplines, such as sociology, criminology/criminal justice, anthropology, political science, and psychology are particularly adept at unpacking the complex facets of human behavior and should therefore be leveraged for their contributions to the area of cybersecurity. Yet, the social science arena remains weak in cybersecurity training and education of the future cyber workforce.
This talk shares an educator’s efforts to engage undergraduate students in a hands-on social engineering project across the Fall 2017 and Spring 2018 semesters. It uses the experiential learning framework that promotes “learning by doing”. Specifically, this talk focuses on three sub-projects: (i) shoulder surfing, where student teams competed against each other, (ii) laptop distraction, where student teams attempted to convince Temple University Computer Services employees to leave their laptops (designed for the class exercise) so that the students could remove a bogus ‘intellectual property’ file and place a fake ‘malware’ program on the employees’ machines, and (iii) convincing individuals on the Temple University campus to take a selfie with team members and a funny prop.
The talk also offers a comparative analysis of these projects over the two semesters, sharing the experiences and challenges of both the students and this educator. It also details the issues involved in designing projects that follow university ethics standards, training students in human subjects research ethics, generating relevant rubrics, and evaluating student engagement and learning. To conclude, the educator shares these cases to initiate dialog in the area of hands-on learning for social science students. Audience feedback is welcomed, as this educator is still exploring the experiential learning approach, especially in the area of social engineering.
Aunshul Rege: @prof_rege
Aunshul Rege is a criminology professor at Temple University. Her National Science Foundation sponsored research and education projects examine the human element of cybercrimes, focusing on behavior, decision-making, adaptation, and group dynamics. She is passionate about educating the next generation workforce across the social and hard sciences about the relevance of the human factor in cybersecurity. She has published in the area of cybersecurity education in USENIX, American Society for Engineering Education, and International Symposium on Resilient Control Systems (IEEE). She has a BSc in Computer Science, a BA and MA in Criminology, and an MA and PhD in Criminal Justice.